"There is no absolute security"

Interview with Prof. Herbert Weber, Head of the Trusted Cloud competence center

04/01/2015

The safe use of cloud services is a challenge for small businesses in particular – yet one that pays off. To make the introduction to this topic easier for users, the independent Center of Excellence Trusted Cloud is currently working on guidelines. Professor Herbert Weber heads the cloud squad and talks with EuroShop about the project, threat scenarios for retail and the added benefit of cloud services.

Professor Weber, for the past year, it has been all about cloud services here at the Center of Excellence at the German Federal Ministry for Economic Affairs and Energy (German: Bundesministerium für Wirtschaft und Energie), ranging from technology to security all the way to data protection. What is the goal of the Center?

Herbert Weber: The Center wants to provide independent advice for all parties concerned. Trusted Cloud supports the development of innovative, secure and legally compliant cloud solutions that are particularly suited for use in small and medium-sized businesses. We conduct secondary research of the technology program.

When can a user be sure that he/she chooses suitable and secure cloud services?

Weber: There is no absolute security! When you deal with cloud computing, you need to be ready to spend some time with it. The same applies to the technologies. There are 15 to 20 technology routes relevant to the topic of security. In fact, you need to know your way around every one of these technologies to either decide on your own how secure you would like to be or have a consultant who is well versed in them. It is essentially up to the user to find out how secure the product is. There are a number of enterprises that strive towards checking and rating security. This is the typical situation for small business in particular.

Why is security so important and how can it be achieved?

Weber: There is an abundance of threat scenarios particularly in the area of online shops. You can take a multitude of measures to prevent threat scenarios of which there are constantly new ones developing. Although this is expensive, it is unavoidable, because you would otherwise incur even more damages at another point. Security costs money; a lot of security maybe costs too much money. In this case, you need to balance safety and costs.

How seriously do cloud service providers take the security of their services?

Weber: It varies. Some have very great services and take things very seriously. Others are more careless.

How reliable are testing facilities for cloud providers?

Weber: They are neither reviewed nor accredited, because so far there are no independent certifiers. Therefore, it remains somewhat of a matter of trust, but above all a question of contract design. The user should agree in a contract with the provider as to what the service includes.

That sounds challenging...

Weber: Contract conclusions are difficult! I think there really aren’t any truly good standard contracts. In terms of security, the German Federal Ministry for Security in Information Technology (German: Bundesamt für Sicherheit in der Informationstechnik) has drafted basic requirements to subsequently also be able to write specifications into contracts.

You are currently working on support for parties interested in cloud services.

Weber: By the end of the project in March 2015, we will have created a guideline with which interested parties are at least introduced to the subject and are able to learn what security and data security mean. The guide is meant to show what they can gain by obtaining information and how they can implement it in their environment. When we include orientational knowledge into these guidelines, users can be assured that this takes place without a business agenda, because we hold a neutral and independent position, are neither operators nor providers of cloud technologies.

We have now talked a lot about the dangers of the cloud. Why are expenditures particularly worthwhile for retailers?

Weber: Cloud computing is going to have a big influence on the use of information and communication technologies in the future. With cloud computing, we have the chance to cause a complete modernization of IT applications. Especially in the small business field, we are not exactly champions as far as our standards of information and communication technologies are concerned. This gives us the chance to be able to achieve an extensive and complete restoration of IT technology use in the economy.